This bug was fixed in the package rsync - 3.2.7-1ubuntu1
---
rsync (3.2.7-1ubuntu1) noble; urgency=medium
* add d/p/fix_crashes_with_fortified_strlcpy.patch (LP: #2060967)
- Fixes a buffer overflow when using -F flag.
-- Mitchell Dzurick Fri, 12 Apr 2024
10:09:41 -0700
**
Package is in proposed now. Testing in an LXC container shows a fix of
this behavior.
$ lxc launch ubuntu-daily:noble n
$ lxc shell n
# dpkg -s rsync | grep Version:
Version: 3.2.7-1build2
# rsync -F --delete-after --archive /etc/os-release /tmp/
*** buffer overflow detected ***: terminated
I'm surprised this wasn't caught by the DEP8 tests. Care to also perhaps
add a simple smoke test, like (note it's not using ssh or any network):
$ rsync -F --delete-after --archive /etc/os-release /tmp/
*** buffer overflow detected ***: terminated
rsync: connection unexpectedly closed (34 bytes
The debian patch looks promising in my local testing. I uploaded a test
package to run dep8 tests against. If those look green I'll submit my MP
and get it in ASAP.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsync in
** Changed in: rsync (Ubuntu)
Assignee: (unassigned) => Mitchell Dzurick (mitchdz)
** Changed in: rsync (Ubuntu)
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsync in Ubuntu.
** Merge proposal linked:
https://code.launchpad.net/~mitchdz/ubuntu/+source/rsync/+git/rsync/+merge/464218
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsync in Ubuntu.
https://bugs.launchpad.net/bugs/2060967
Title:
This looks like it could already be fixed in debian with
https://salsa.debian.org/debian/rsync/-/commit/d3a0eccf989175b096c10b6c42b02b1ee1306a00
I'll try an ubuntu build with this patch and report back.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded
** Also affects: rsync (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: rsync (Ubuntu Jammy)
Importance: Undecided
Status: New
** Also affects: rsync (Ubuntu Mantic)
Importance: Undecided
Status: New
** Changed in: rsync (Ubuntu Focal)
I was able to reproduce this in a noble LXD container.
$ lxc launch ubuntu-daily:noble n
$ lxc shell n
# ssh-keygen -t rsa
# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# touch testfile.txt
# rsync -F --delete-after --archive /root/testfile.txt 127.0.0.1:/tmp/
The authenticity of host
Quickly testing Jammy/Mantic in a similar fashion as above I do not see
the buffer overflow.
** Changed in: rsync (Ubuntu)
Status: Confirmed => Triaged
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsync in Ubuntu.
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: rsync (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsync in Ubuntu.
11 matches
Mail list logo
